From 676d10819d835964d01696d42289980e995a7e42 Mon Sep 17 00:00:00 2001
From: Girish BN
Date: Mon, 29 Apr 2024 16:10:54 +0530
Subject: [PATCH] BT-Kernel : use-after-free in BT power driver - after freed bt_power_release accessing the variables.
Change-Id: I3007c9717d7504e2fc1598d0c848421735372159
Signed-off-by: Girish BN
---
 include/btpower.h | 1 +
 pwr/btpower.c | 12 +++++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/include/btpower.h b/include/btpower.h
index 075dd03745..dc66b06c36 100644
--- a/include/btpower.h
+++ b/include/btpower.h
@@ -676,6 +676,7 @@ struct platform_pwr_data {
 struct work_struct wq_pwr_voting;
 struct sk_buff_head rxq;
 struct mutex pwr_mtx;
+ struct mutex pwr_release;
 };
 
 int btpower_register_slimdev(struct device *dev);
diff --git a/pwr/btpower.c b/pwr/btpower.c
index c36df23461..9efe3dd18f 100644
--- a/pwr/btpower.c
+++ b/pwr/btpower.c
@@ -1576,6 +1576,7 @@ static int bt_power_probe(struct platform_device *pdev)
 skb_queue_head_init(&pwr_data->rxq);
 mutex_init(&pwr_data->pwr_mtx);
 mutex_init(&pwr_data->btpower_state.state_machine_lock);
+ mutex_init(&pwr_data->pwr_release);
 pwr_data->btpower_state.power_state = IDLE;
 pwr_data->btpower_state.retention_mode = RETENTION_IDLE;
 pwr_data->btpower_state.grant_state = NO_GRANT_FOR_ANY_SS;
@@ -1621,20 +1622,21 @@ static int bt_power_probe(struct platform_device *pdev)
 return 0;
 free_pdata:
+ mutex_lock(&pwr_data->pwr_release);
 kfree(pwr_data);
+ mutex_unlock(&pwr_data->pwr_release);
 return ret;
 }
 static int bt_power_remove(struct platform_device *pdev)
 {
+ mutex_lock(&pwr_data->pwr_release);
 dev_dbg(&pdev->dev, "%s\n", __func__);
- probe_finished = false;
 btpower_rfkill_remove(pdev);
 bt_power_vreg_put();
- kfree(pwr_data);
-
+ mutex_unlock(&pwr_data->pwr_release);
 return 0;
 }
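Review bot: In the `free_pdata:` path of bt_power_probe, `mutex_unlock(&pwr_data->pwr_release);` runs after `kfree(pwr_data);`, so the unlock itself reads freed memory — the same class of bug the commit sets out to fix — and more generally a mutex that lives inside `pwr_data` cannot guard the lifetime of `pwr_data`, because every `mutex_lock(&pwr_data->pwr_release)` (here, in bt_power_remove, and in the bt_power_release hunk at @@ -2514) dereferences the object before it is protected. The bt_power_remove part of this hunk also drops `probe_finished = false;` and `kfree(pwr_data);`, so remove now leaks the allocation and the `!probe_finished` guard in bt_power_release no longer fires once the device is gone. A lifetime guard has to outlive the object: a file-scope mutex (a `static DEFINE_MUTEX`) or a refcount held around the teardown, with `pwr_data` set to NULL under it and the NULL check in bt_power_release done under the same lock. The probe error path can keep the plain `kfree(pwr_data);` without any lock, on the assumption (inferred from the `!probe_finished` check, please confirm) that no file operation can reach `pwr_data` before probe completes. bt_power_probe begins before this hunk.
```c
/* btpower_lifetime_lock is a constructed placeholder name for a file-scope
 * static DEFINE_MUTEX(...) that outlives pwr_data; it is not on the page. */
static int bt_power_remove(struct platform_device *pdev)
{
	dev_dbg(&pdev->dev, "%s\n", __func__);
	mutex_lock(&btpower_lifetime_lock);
	probe_finished = false;
	btpower_rfkill_remove(pdev);
	bt_power_vreg_put();
	kfree(pwr_data);
	pwr_data = NULL;	/* later lockers see NULL instead of freed memory */
	mutex_unlock(&btpower_lifetime_lock);
	return 0;
}
```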
@@ -2514,6 +2516,9 @@ static long bt_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 
 static int bt_power_release(struct inode *inode, struct file *file)
 {
+
+ mutex_lock(&pwr_data->pwr_release);
+
 if (!pwr_data || !probe_finished) {
 pr_err("%s: BTPower Probing Pending.Try Again\n", __func__);
 return -EAGAIN;
@@ -2561,6 +2566,7 @@ static int bt_power_release(struct inode *inode, struct file *file)
 */
 }
 }
+ mutex_unlock(&pwr_data->pwr_release);
 return 0;
 }
 
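Review bot: `mutex_lock(&pwr_data->pwr_release);` is taken before the `if (!pwr_data || !probe_finished)` check, so a NULL `pwr_data` is dereferenced by the lock call itself, and the `return -EAGAIN;` path returns with the mutex still held, which blocks the next release or remove forever. Either move the lock below the check or add `mutex_unlock(&pwr_data->pwr_release);` immediately before `return -EAGAIN;`. The body between this hunk and the unlock added in the second hunk (@@ -2561) is not shown; any early return in that stretch would leave the mutex held in the same way and should be audited. Because the lock is a field of `pwr_data`, it also does not close the race with bt_power_remove freeing `pwr_data`, as raised on the bt_power_probe/bt_power_remove hunk.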